This doesn't stop the form from being reprocessed if the user hits "Back" (if they tell their browser to resubmit)
– philfreo, Oct 29 '09 at 21:48

@philfreo - actually, it does prevent it. Most frameworks today will issue a "302 Moved" header, which effectively tells the browser to use the results page for the history during back-button navigation.
– Caffeine Coma, Oct 5 '12 at 11:42

What about in Single Page Applications, where somebody posted to your app?
– jamiebarrow, Oct 2 '13 at 10:52

The simple fact that resubmitting the form generates a duplicate transaction is worrying. You should have some sort of check to ensure each submit of form data is unique.

For example, the page which would submit the form should be given a unique ID that gets submitted with the form. The business logic should then be able to recognise that the form submitted has already been processed (as the (no longer) unique ID will be the same), so ignores the second attempt.

The 'standard way' still doesn't stop clients from clicking the back button twice... or even going back and resubmitting the form if they don't think (for whatever reason) it has been processed.

Perform a header redirect to the results page (or to the original form page). If required, display a custom message from the processing page, such as "Error Credit Card payment was rejected", and reset session variables.

The header redirect will initiate a GET request on "yourfilehere.php", because a redirect is simply that, a "request" to fetch data FROM the server, NOT a POST which submits data TO the server. Thus, the redirect/GET prevents any further DB/payments processing from occurring after a refresh. The 301 error status will help with back-button pressing.

The submit button triggers an xmlhttp (ajax) request to the server to create a session variable named after the token with a stored value of 1.

The ajax request submits the form after receiving a positive state change.

The form processing script checks for the session variable with the stored value of 1.

The script removes the session variable and processes the form.

If the session variable is not found, the form will not be processed. Since the variable is removed as soon as it's found, the form can only be run by pressing the submit button. Refresh and back will not submit the form. This will work without the use of a redirect.
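The single-use token idea from the two answers above (a unique ID issued with the form page, consumed server-side before the form is processed), written out as an added Python sketch of the server-side logic; it is not code from any answer and uses a constructed in-memory dict in place of a real session backend, with hypothetical names `issue_token`, `process_form` and `demo`:

```python
import secrets
from typing import Dict, List, Set, Tuple

# Constructed stand-in for a server-side session store: session id -> set of
# unconsumed form tokens. A real app keeps this in its session backend.
SessionStore = Dict[str, Set[str]]


def issue_token(sessions: SessionStore, session_id: str) -> str:
    """Called when the form page is rendered: mint an unguessable single-use
    token, remember it server-side, and embed it in the form as a hidden field.
    The server picks the token; a client-chosen value could be replayed at will."""
    token = secrets.token_urlsafe(32)
    sessions.setdefault(session_id, set()).add(token)
    return token


def process_form(sessions: SessionStore, session_id: str, token: str,
                 amount: int, ledger: List[int]) -> Tuple[bool, str]:
    """Called on POST. Returns (processed, message). The token is removed
    *before* any side effect, so a refresh or back-button resubmit of the same
    POST finds no token and is ignored instead of charging twice. Assumption:
    in a multi-process deployment the remove-and-check must be one atomic
    operation in the session backend, or two racing submits can both pass."""
    pending = sessions.get(session_id, set())
    if token not in pending:
        return False, "duplicate or forged submission ignored"
    pending.discard(token)          # consume first: at most one success per token
    ledger.append(amount)           # the side effect that must never repeat
    return True, "payment recorded"


def demo() -> Tuple[int, bool, bool, bool]:
    """Render the form once, then submit it three times: the real submit,
    a refresh/back resubmit with the same token, and the same token sent
    from a different session. Only the first may touch the ledger."""
    sessions: SessionStore = {}
    ledger: List[int] = []
    tok = issue_token(sessions, "sess-A")
    first, _ = process_form(sessions, "sess-A", tok, 100, ledger)
    replay, _ = process_form(sessions, "sess-A", tok, 100, ledger)
    cross, _ = process_form(sessions, "sess-B", tok, 100, ledger)
    return len(ledger), first, replay, cross   # (1, True, False, False)
```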